The one tiny slip that put LulzSec chief Sabu in the FBI's pocket

IRC relays 'infiltrated by the feds'

Analysis The man named by the FBI as infamous hacktivist Sabu was undone by an embarrassing security blunder, it has emerged.

The alleged LulzSec kingpin eventually copped to a battery of hacking charges last August and was reported to have been "co-operating" with the FBI in the months leading up to yesterday's arrests.

Police locked onto Hector Xavier Monsegur, an unemployed 28-year-old from New York – allegedly LulzSec hacktivist supremo Sabu – after he apparently made the mistake of logging into an IRC chat server without using the Tor anonymisation service.

According to Robert Graham of Errata Security, Monsegur exposed his IP address, which allowed federal investigators to request records from ISPs and track down his location to a flat shared with his two sons on Manhattan's Lower East Side.

"They caught him because just once, he logged onto IRC without going through Tor, revealing to the FBI his IP address," Graham claims. "This reveals a little bit about the FBI, namely that they've infiltrated enough of the popular IRC relays to be able to get people's IP addresses. We've always suspected they could, now we know."

It's unclear precisely when investigators identified Monsegur as a prime suspect in the case. However, by early June separate digital sleuthing by various parties – most notably @backtracesec and purported ex-military anti-WikiLeaks hacker The Jester (th3j35t3r) – had led to the public fingering of Monsegur as Sabu.

Monsegur was NOT the only person named as Sabu. The Jester previously named (he later apologised for his error) an innocent Portuguese web designer as a suspect, for example. Pastebin has been full of various documents giving multiple "identities" and background details for supposed members of LulzSec and Anonymous for months.

However, the fact that Monsegur was named at all caused investigators to fear he would destroy evidence if they failed to act quickly. The Puerto Rican immigrant's flat was raided on 7 June last year.

Fox News reports that agents had already obtained a warrant to pull Monsegur's Facebook file, and said they found evidence that the suspect had traded credit card numbers with other hackers. This was enough to execute a warrant to seize equipment and arrest Monsegur.

The report said investigators had coerced the unemployed dad into co-operating by threatening him with two years in prison away from his children on the easy-to-prove ID theft charges alone if he failed to turn informant on the rest of the LulzSec crew. The feds also persuaded him to turn over the encryption keys on his battered laptop, allowing them to obtain evidence of Monsegur's "hacking activities".

“It was because of his kids,” an FBI source told Fox News. “He’d do anything for his kids. He didn’t want to go away to prison and leave them. That’s how we got him.”

Monsegur was bailed on the identity theft charges and returned home after agreeing to act as an informant against his erstwhile hacktivist colleagues, officials told Fox News. Neither his family nor his "brothers" in Anonymous and LulzSec were left any the wiser that he was then working as a co-operating witness, his "handlers" said.

Sabu's anti-capitalist rants and brazen boasts continued after Monsegur's changed status, they said. But a minority – most notably a hacktivist using the handle Virus – suspected he might have been acting as a federal informant around this time.

Virus became suspicious when Sabu disappeared offline for about a week, and later when Sabu allegedly tried to induce him to hack into Backtrace Security (an outfit tracing members of LulzSec) for money – an offer Virus declined. Virus confronted Sabu with his suspicions that he might be a snitch in a heated exchange, recorded on PasteBin here.

Just a normal New Yorker

These suspicions were isolated and the vast remainder of LulzSec and legions of members of hacktivist collective Anonymous continued to follow Sabu's lead.

What they didn't know was that for the last eight months or so, and certainly from the time in mid-August when Monsegur secretly pleaded guilty to a slew of hacking offences, the feds had been monitoring exchanges and gathering evidence against them, as well as passing on information that was used to minimise the damage caused by some of the planned operations. From mid-August onwards, sources told Fox News, Monsegur allegedly worked out of the FBI's New York City offices almost every day.

Later his handlers allowed him to work using a laptop provided by the FBI while under close 24-hour monitoring and supervision.

Monsegur was watched by his federal handlers while maintaining the same habits and online presence, spending between eight and 16 hours a day at his computer and often working through the night. His FBI handlers orchestrated an elaborate disinformation campaign, using the AnonymousSabu Twitter account and interviews with journalists to spread false information.

Ironically, the man alleged to be the frontman and chief rabble-rouser for #FuckFBIFridays – a weekly event in the Anonymous calendar – had been cheering on attacks against law enforcement systems from behind an FBI desk, while at the same time working to minimise any damage, the G-men said.

Monsegur reportedly worked with his handlers to mitigate the damage caused by the hack on 70 law enforcement websites in July 2011, minimising the amount of information that came out a month later. The suspect worked with the FBI to inform 300 government, financial and corporate entities in the US and elsewhere of problems with their systems that had come to the attention of hackers, his handlers said.

He also apparently fact-checked boastful claims frequently made by hacktivists who, as before, continued to come to Sabu with plans for operations, the FBI said.

On one occasion, at the behest of his FBI handlers, Monsegur successfully ordered the end of a DDoS attack against the CIA. “You’re knocking over a bee’s nest,” he warned his associates. “Stop.”

He then allegedly helped the FBI track down and gather evidence against his hacking associates, information that only became public with the unsealing of his indictment [PDF] and the arrest of suspected hacktivists in the US, Ireland and the UK on Tuesday.

Monsegur adapted to his new status to the point that he reportedly attempted to pass himself off as a federal agent when he was collared by New York city cops last month, Gawker reports.
